HW & SW VPN client -- need routing workaround

We have a 3005 concentrator with 3002s at three branches of a clinic. Their local subnets are 192.168.0.0, 192.168.1.0 and 192.168.3.0. I live on a family farm and connect to a satellite router that is maintained by my daughter-in-law's employer, so I can't change the 192.168.0.0 subnet I'm on.

So, I can get into the concentrator with VPN Client or a 3002 from home using a 192.168.10.0 address, but I can only ping hosts on the x.x.1.0 and x.x.3.0 subnets.

I tried putting a LinkSys router in between the 3002 and the local subnet with another set of IP addresses on those two ports, hoping the tunnel would get me past the local subnet and into the 192.168.0.0 subnet at the main clinic. But no, those requests keep being treated as local and I don't hit the clinic subnet -- except strangely, 192.168.0.30 is their 3002 and I can hit it. But nothing else. I made sure there are no entries in the routing table for 192.168.0.0 -- but maybe there should be.

Or are my ping packets hitting the 192.168.0.0 hosts at the main clinic and not getting back?

Is there a way around this? Seems like something that would happen to others, since 192.168.0.0 or .1.0 are so common both as corporate subnets and on the cable/DSL routers etc.

Thanks in advance,

Bob Wilson

Reply to
RoverDrover

Why not just change the LAN using subnet 192.168.0.0 to something else?

Reply to
Merv

On our non-3005, non-3002 hardware, we configure VPN policies on the VPN server that are pushed to the VPN client. If we refrain from enabling Split Tunneling, "all traffic" from the VPN client passes through the tunnel. While the tunnel is up, the reachable 192.168.0.0 network would be the one at the clinic, rather than the one to which the VPN client is physically connected.

I think your issue is Split Tunneling (perhaps known by a different name on your platform).

Perhaps you could set up a separate profile on the Concentrator for your VPN client connections that did not permit Split Tunneling. A separate profile for yourself would not affect other users that may derive a benefit from Split Tunneling.

Reply to
News Reader
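The routing conflict discussed in this thread, as an added example that is not part of any post above: a simplified model of which interface a VPN client picks with split tunneling on versus off. It assumes /24 masks, constructed host addresses, and that a directly connected route wins a tie on prefix length; it does not model the 3005/3002 or any specific client.

```python
import ipaddress

# Assumed /24 masks; the thread gives only the network numbers.
HOME_LAN = ["192.168.0.0/24"]                      # subnet behind the satellite router
CLINIC_NETS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.3.0/24"]


def egress(dest, connected, split_list=None):
    """Return 'tunnel' or 'local' for dest under a simplified routing model.

    connected  : networks attached to the client's physical interface
    split_list : networks pushed for split tunneling; None means split
                 tunneling is disabled and all traffic uses the tunnel.
    """
    addr = ipaddress.ip_address(dest)
    if split_list is None:
        return "tunnel"
    # Connected routes are listed first so they win ties (model assumption).
    routes = [(ipaddress.ip_network(n), "local") for n in connected]
    routes += [(ipaddress.ip_network(n), "tunnel") for n in split_list]
    best_len, best_if = -1, "local"    # no match: default route, outside tunnel
    for net, iface in routes:
        if addr in net and net.prefixlen > best_len:
            best_len, best_if = net.prefixlen, iface
    return best_if


def shadowed(connected, split_list):
    """Tunnel networks that overlap a directly connected network."""
    local = [ipaddress.ip_network(c) for c in connected]
    return [r for r in split_list
            if any(ipaddress.ip_network(r).overlaps(c) for c in local)]


if __name__ == "__main__":
    print("overlapping tunnel networks:", shadowed(HOME_LAN, CLINIC_NETS))
    for host in ("192.168.0.50", "192.168.1.50", "192.168.3.50"):  # constructed
        print(host,
              "| split on:", egress(host, HOME_LAN, CLINIC_NETS),
              "| split off:", egress(host, HOME_LAN, None))
```

Running the overlap check before handing out a split-tunnel profile shows which remote networks a given home LAN will shadow.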

Thank you both for your input. I believe split tunneling is the problem. No chance of changing the subnet at the big clinic just to help with remote access -- they'd say we were moving the mountain to Mohammed (will I get in trouble for saying that?)

Again, I appreciate your responses and I will go at it from the split tunneling angle.

Bob W.

Reply to
RoverDrover
